Bump puma from 3.12.1 to 4.3.8

[dependabot[bot]]

Bumps puma from 3.12.1 to 4.3.8.

Release notes

Sourced from puma's releases.

v4.3.8

• Security
  • Close keepalive connections after the maximum number of fast inlined requests (#2625)

v4.3.6

https://github.com/puma/puma/compare/v4.3.5...4.3.6

A quick fix for a build error on Mac OS and a JSON require fix for those using phased restart.

• Explicitly include ctype.h to fix compilation warning and build error on macOS with Xcode 12 (#2304)
• Don't require json at boot (#2269)

v4.3.0 - Mysterious Traveller

Mysterious Traveller

• Features

  • Strip whitespace at end of HTTP headers (#2010)
  • Optimize HTTP parser for JRuby (#2012)
  • Add SSL support for the control app and cli (#2046, #2052)

• Bugfixes

  • Fix Errno::EINVAL when SSL is enabled and browser rejects cert (#1564)
  • Fix pumactl defaulting puma to development if an environment was not specified (#2035)
  • Fix closing file stream when reading pid from pidfile (#2048)
  • Fix a typo in configuration option --extra_runtime_dependencies (#2050)

4.2.1

• 3 bugfixes
  • Fix socket activation of systemd (pre-existing) unix binder files (#1842, #1988)
  • Deal with multiple calls to bind correctly (#1986, #1994, #2006)
  • Accepts symbols for verify_mode (#1222)

4.2.0 - Distant Airhorns

• 6 features
  • Pumactl has a new -e environment option and reads config/puma/.rb config files (#1885)
  • Semicolons are now allowed in URL paths (MRI only), useful for Angular or Redmine (#1934)
  • Allow extra dependencies to be defined when using prune_bundler (#1105)
  • Puma now reports the correct port when binding to port 0, also reports other listeners when binding to localhost (#1786)
  • Sending SIGINFO to any Puma worker now prints currently active threads and their backtraces (#1320)
  • Puma threads all now have their name set on Ruby 2.3+ (#1968)
• 4 bugfixes
  • Fix some misbehavior with phased restart and externally SIGTERMed workers (#1908, #1952)
  • Fix socket closing on error (#1941)
  • Removed unnecessary SIGINT trap for JRuby that caused some race conditions (#1961)
  • Fix socket files being left around after process stopped (#1970)
• Absolutely thousands of lines of test improvements and fixes thanks to @​MSP-Greg

... (truncated)

Changelog

Sourced from puma's changelog.

4.3.8 / 2021-05-11

• Security
  • Close keepalive connections after the maximum number of fast inlined requests (#2625)

4.3.7 / 2020-11-30

• Bugfixes
  • Backport set CONTENT_LENGTH for chunked requests (Originally: #2287, backport: #2496)

4.3.6 / 2020-09-05

• Bugfixes
  • Explicitly include ctype.h to fix compilation warning and build error on macOS with Xcode 12 (#2304)
  • Don't require json at boot (#2269)

4.3.4/4.3.5 and 3.12.5/3.12.6 / 2020-05-22

Each patchlevel release contains a separate security fix. We recommend simply upgrading to 4.3.5/3.12.6.

• Security
  • Fix: Fixed two separate HTTP smuggling vulnerabilities that used the Transfer-Encoding header. CVE-2020-11076 and CVE-2020-11077.

4.3.3 and 3.12.4 / 2020-02-28

• Bugfixes
  • Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
• Security
  • Fix: Prevent HTTP Response splitting via CR in early hints. CVE-2020-5249.

4.3.2 and 3.12.3 / 2020-02-27 (YANKED)

• Security
  • Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.

4.3.1 and 3.12.2 / 2019-12-05

• Security
  • Fix: a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. CVE-2019-16770.

4.3.0 / 2019-11-07

• Features

  • Strip whitespace at end of HTTP headers (#2010)
  • Optimize HTTP parser for JRuby (#2012)
  • Add SSL support for the control app and cli (#2046, #2052)

• Bugfixes

  • Fix Errno::EINVAL when SSL is enabled and browser rejects cert (#1564)
  • Fix pumactl defaulting puma to development if an environment was not specified (#2035)

... (truncated)

Commits

• b911c13 4.3.8 release note
• 09bb777 Bump version constant
• 8088950 Close keepalive connections after MAX_FAST_INLINE requests
• f3c95af 4.3.7
• 77a90ec Backport set CONTENT_LENGTH for chunked requests (#2496)
• a418e5c Updates to 4.3.6 to pass CI, adds Ubuntu 20.04 [changelog skip] (#2380)
• 3e3647a v4.3.6
• 73cfdf5 Merge pull request #2314 from venables/fix-include
• fa54f4d Merge pull request #2269 from MSP-Greg/json-require
• a24b51b Bump version
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/arkency/find-open-source-mentor/network/alerts).

[dependabot[bot]]

Superseded by #53.